Last week at a conference in Toronto, an attendee came to the Microsoft booth and asked something that has been asked many times in the past. So, I decided to cover it here for everyone’s benefit.
What are the differences between Azure Firewall, Azure Application Gateway, Azure Load Balancer, NSG, Azure Traffic Manager, and Azure Front Door?
Here's a high-level consolidation of what they each do.
The Azure Application Gateway (AAG) is a web traffic manager for your web applications (one or multiple). With AAG, on top of load balancing your workloads, you can make routing decisions based on URI path or host headers. For example, you can route traffic based on the incoming URL. Therefore if /images are in the inbound URL, you can route traffic to a specific set of servers (or pool) configured for images. If /video is in the URL, that traffic is routed to another pool.
AAG includes a web application firewall called Web application firewall (WAF) that protects your workload from common exploits like SQL injection attacks or cross-site scripting attacks, to name a few. This protection uses rules from the Open Web Application Security Project version 3.0 or 2.2.9. However, it is not an L3-L7 stateful firewall.
The Azure Application Gateway can be used to do TLS/SSL termination. TLS/SSL termination can be useful to allow unencrypted traffic between the AAG and the backend servers saving some of the processing load needed to encrypt and decrypt said traffic. However, we strongly recommend against sending unencrypted communications to the servers since in most situations, it is not acceptable due to security requirements, compliance requirements, or the application may only accept a secure connection. In these situations, the Azure Application Gateway also supports end-to-end TLS/SSL encryption.
**This paragraph was corrected by (@heinrichg) Heinrich Gantenbein - Cybersecurity Architect - Microsoft Enterprise Services**
These are just a few of the capabilities of AAG.
Azure Front Door gives you the ability to define, manage, and monitor the global routing for your web traffic (across regions). It optimizes your web traffic globally for performance (lowest latency) and for high-availability by enabling instant fail-over for all your Internet-facing applications hosted inside or outside of Azure. It does so by using several traffic-routing methods (latency, Priority, weighted, and Session Affinity). Just like the Azure Application Gateway Front Door can allow you to route traffic based on URL paths of the request but it does allow for more complex route matching scenarios
Azure Traffic Manager enables you to control how traffic is distributed across your application endpoints. An endpoint can be any Internet-facing endpoint, hosted in Azure or outside Azure. It really provides two key benefits:
- Distribution of traffic according to one of several traffic-routing methods (priority, weighted, performance, geographic, multivalued and subnet).
- Continuous monitoring of endpoint health and automatic failover when endpoints fail.
When an end user attempts to connect to a service endpoint, their client (PC, phone, etc.) must first resolve the DNS name in that endpoint to an IP address. The client then connects to that IP address to access the service. Traffic Manager works at the DNS level. Traffic Manager uses DNS to direct end users to particular service endpoints, based on the chosen traffic-routing method and the current endpoint health. Clients then connect to the selected endpoint directly. Traffic Manager is not a proxy and does not see the traffic passing between the client and the service.
The Azure Load Balancer Load Balancer distributes inbound traffic to a backend pool instances according to rules and health probes. It can also provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses. The Load Balancer is a TCP/UDP load balancing and port forwarding engine only. It does not terminate, respond, or otherwise interact with the traffic. It simply routes traffic based on source IP address and port, to a destination IP address and port.
It can also be deployed both as a Public Load Balancer or an Internal Load Balancer to manage internal traffic.
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network. It allows you to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Just like any firewall currently found in your own datacenter, it can be used to limit outbound traffic to a specified list of fully qualified domain names (FQDN) including wild cards. So. Really you can set the rules to allow or deny network access by source and destination IP address, port, and protocol and since the Azure Firewall is fully stateful (L3-L7) it can distinguish legitimate packets for different types of connections.
Network Security Groups
Network Security Groups or NSGs allow you to filter traffic to and from your resources in an Azure virtual network. NSG security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. NSGs can be assigned to subnets or network interfaces in the Resource Manager deployment model. NSGs are not a firewall. They have no visibility in the payload, just the addresses, ports and protocols.
I really hope this makes sense to you. There is some overlap across all these services, however, each is well suited to its own specific scenarios.